Protect Against Brute-force/Dictionary SSH Attacks

According to the SANS Institute Security Risks Report for 2007, brute-force/dictionary attacks against remote services such as SSH are one of the Top-20 most common forms of attack on the Internet that compromise servers. In particular, Unix-based and Mac OS X servers that run an SSH service to give administrators secure remote access are at risk. The ISO has seen an increased number of systems compromised via brute-force/dictionary attack. The attacks run continuously, and every account cracked on a host with lax countermeasures feeds back into the attackers' dictionaries. An excessive number of failed logins is a sign of a brute-force/dictionary attack against your SSH server.
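The following script is an added example, not part of the original advisory, showing how to spot the "excessive number of failed logins" symptom in an OpenSSH auth log: it counts "Failed password" events per source address and flags any source at or above a threshold. The log lines and the threshold of 5 are constructed for the example; on a real host you would feed it the output of `grep sshd /var/log/auth.log` (or the equivalent for your system).

```sh
#!/bin/sh
# Added example (not from the original advisory): count failed SSH logins per
# source address and flag sources above a threshold.
# The log lines below are CONSTRUCTED samples in the classic syslog format.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:12 host sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2211]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
Mar  3 10:01:19 host sshd[2215]: Failed password for root from 198.51.100.7 port 51251 ssh2
Mar  3 10:01:22 host sshd[2218]: Failed password for root from 198.51.100.7 port 51260 ssh2
Mar  3 10:01:25 host sshd[2220]: Failed password for root from 198.51.100.7 port 51271 ssh2
Mar  3 10:02:01 host sshd[2230]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 10:02:40 host sshd[2241]: Failed password for alice from 192.0.2.10 port 40030 ssh2
EOF
)

# failed_logins_by_source: read log lines on stdin and print "count ip" for
# each source address that produced a "Failed password" event, most
# frequent first. Successful logins ("Accepted ...") are ignored.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# flag_bruteforce THRESHOLD: print source addresses with at least THRESHOLD
# failures, one per line (default threshold 5, a constructed value).
flag_bruteforce() {
    threshold=${1:-5}
    failed_logins_by_source | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Usage: replace SAMPLE_LOG with `grep sshd /var/log/auth.log` on a live host.
echo "== failed logins per source =="
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source
echo "== sources at or above threshold =="
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
```

The single failure from 192.0.2.10 (a typo by a legitimate user) stays below the threshold, while 198.51.100.7, which cycles through guessed usernames and root, is flagged. A threshold over a time window, rather than over the whole log, is what the anti-brute-force tools mentioned later on this page implement.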

Disable root access - It is a good security practice to disable SSH logins for the root account. Log in with your non-privileged user account and escalate privilege when and if necessary. sudo and su are examples of commands that allow privilege escalation. These provide the added benefit of accountability (i.e. logging) in environments where root access must be shared.

Disable unused services - Disable SSH if it is not in use.

Filter traffic to your SSH server - Whenever possible, filter traffic to your SSH server (with a network or host-based firewall) and restrict access to known IP addresses only. Restricting access to the campus VPN subnet or a range of IP addresses is a good start.

Run the SSH server on a non-standard, high port - This mitigates automated attacks that scan only for SSH servers on the default port.
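As an added example (not part of the original advisory) of checking the two sshd settings recommended above and pairing them with the traffic filter, the script below audits an sshd_config file for PermitRootLogin and Port, and prints (without running) the host-firewall rules that limit SSH to one subnet. Both configuration texts are constructed samples, the subnet 10.20.0.0/16 is a placeholder for a VPN range, and the iptables rules assume a Linux host; adapt them to pf or your network firewall as needed.

```sh
#!/bin/sh
# Added example, not part of the original advisory: audit an sshd_config file
# for root login disabled and a non-default port, then print matching
# host-firewall rules. Both config texts are CONSTRUCTED samples; the subnet
# 10.20.0.0/16 stands in for a VPN range.

WEAK_CONFIG='# sshd_config before hardening
Port 22
PermitRootLogin yes
PasswordAuthentication yes
'

HARDENED_CONFIG='# sshd_config after hardening
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
'

# sshd_setting FILE KEYWORD: print the effective value of KEYWORD in the
# global section of FILE. OpenSSH honours the first occurrence and treats
# keywords case-insensitively; directives after a "Match" block are
# conditional, so stop reading there.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one WARN line per weak setting; return 0 when
# every check passes, 1 otherwise.
audit_sshd_config() {
    rc=0
    root=$(sshd_setting "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    port=$(sshd_setting "$1" Port)
    if [ "$root" != "no" ]; then
        echo "WARN: PermitRootLogin is '${root:-unset}'; set it to 'no'"
        rc=1
    fi
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22; move it to a high port"
        rc=1
    fi
    return $rc
}

# ssh_filter_rules SUBNET PORT: print (do not run) iptables rules that accept
# SSH only from SUBNET and drop every other connection to PORT.
ssh_filter_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$2" "$1"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$2"
}

# Usage: audit both samples; on a real host run
# `audit_sshd_config /etc/ssh/sshd_config`.
tmpw=$(mktemp); tmph=$(mktemp)
printf '%s' "$WEAK_CONFIG" > "$tmpw"
printf '%s' "$HARDENED_CONFIG" > "$tmph"
echo "== weak ==";     audit_sshd_config "$tmpw" || echo "result: FAIL"
echo "== hardened =="; audit_sshd_config "$tmph" && echo "result: PASS"
echo "== firewall rules for the hardened port =="
ssh_filter_rules 10.20.0.0/16 "$(sshd_setting "$tmph" Port)"
rm -f "$tmpw" "$tmph"
```

The weak sample trips both checks; the hardened sample passes and yields the two firewall rules for port 2222. After editing sshd_config on a real host, validate it with `sshd -t` and keep an existing session open while restarting the service, so a mistake in the port or the firewall rule does not lock you out.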

Install and maintain anti-brute-force tools - There are a number of filters and tools that administrators can use to block and protect against brute-force/dictionary attacks. A few are: